author | Vladimír Čunát <vladimir.cunat@nic.cz> | 2024-01-02 11:18:31 +0100 |
committer | Vladimír Čunát <vladimir.cunat@nic.cz> | 2024-02-12 11:19:57 +0100 |
commit | eccb8e278c1cde0548cc570eac619feaa290cede (patch) | |
tree | 153e1f5613ca201eaabf0aaf110585eced145df3 /lib/layer/validate.c | |
parent | validator: lower the NSEC3 iteration limit (150 -> 50) (diff) | |
validator: similarly also limit excessive NSEC3 salt length
Limit the combination of iterations and salt length, based on the estimated
expense of the computation. Note that the result only differs for
salt length > 44, which is rather nonsensical and very rare:
https://chat.dns-oarc.net/community/pl/h58qx9sjkbgt9dajb7x988p78a
Diffstat (limited to '')
-rw-r--r-- | lib/layer/validate.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 17f90740..1b1237da 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -128,14 +128,15 @@ static bool maybe_downgrade_nsec3(const ranked_rr_array_entry_t *e, struct kr_qu
 const knot_rdataset_t *rrs = &e->rr->rrs;
 knot_rdata_t *rd = rrs->rdata;
 for (int j = 0; j < rrs->count; ++j, rd = knot_rdataset_next(rd)) {
- if (knot_nsec3_iters(rd) > KR_NSEC3_MAX_ITERATIONS)
+ if (kr_nsec3_limited_rdata(rd))
 goto do_downgrade;
 }
 return false;
 do_downgrade:
 // we do this deep inside calls because of having signer name available
- VERBOSE_MSG(qry, "<= DNSSEC downgraded due to NSEC3 iterations %d > %d\n",
- (int)knot_nsec3_iters(rd), (int)KR_NSEC3_MAX_ITERATIONS);
+ VERBOSE_MSG(qry, "<= DNSSEC downgraded due to expensive NSEC3: %d iterations, %d salt length\n",
+ (int)knot_nsec3_iters(rd), (int)knot_nsec3_salt_len(rd));
 qry->flags.DNSSEC_WANT = false;
 qry->flags.DNSSEC_INSECURE = true;
 rank_records(qry, true, KR_RANK_INSECURE, vctx->zone_name); |
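Review bot: The new condition `if (kr_nsec3_limited_rdata(rd))` no longer tells a reader of this file what is being limited — the old line named the iteration cap, and the helper's definition is outside this hunk — so a one-line comment at the call site would keep the policy visible, e.g. `// Combined iterations/salt-length cost limit; exceeding it downgrades the zone to insecure (cf. RFC 9276).` The verbose message after `do_downgrade:` also dropped the threshold that was exceeded (the old text printed `> %d`), so an operator reading the log cannot tell how far these values are from the limit; if the helper exposes the limit, printing it here would help, otherwise naming it in the comment suffices. The downgrade path itself (DNSSEC_WANT cleared, DNSSEC_INSECURE set, records ranked insecure) is the intended outcome for expensive NSEC3 parameters, which presumably bounds validator work per answer, and that rationale is what the comment should state. maybe_downgrade_nsec3 starts before this hunk and continues after `rank_records(...)`.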